CVE-2025-40545
📋 TL;DR
SolarWinds Observability Self-Hosted has an open redirection vulnerability where authenticated attackers can manipulate URLs to redirect users to malicious sites. This affects organizations running vulnerable versions of SolarWinds Observability Self-Hosted. The attack requires authentication and has high complexity, limiting immediate widespread exploitation.
💻 Affected Systems
- SolarWinds Observability Self-Hosted
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attackers could redirect users to phishing sites that steal credentials or deliver malware, potentially leading to account compromise or system infection.
Likely Case
Limited phishing campaigns targeting authenticated users within affected organizations, potentially leading to credential theft from redirected sessions.
If Mitigated
With proper authentication controls and user awareness, impact is minimal as attackers need valid credentials and users should notice suspicious redirects.
🎯 Exploit Status
Exploitation requires authenticated access and specific URL manipulation. No public exploits known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.4.1 or later
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40545
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download SolarWinds Observability Self-Hosted version 2025.4.1 or later.
3. Run the installer/upgrade following SolarWinds documentation.
4. Restart services as prompted.
5. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional URL validation at the web application firewall or proxy level.
User Awareness Training
Train users to verify URLs before entering credentials on redirected pages.
🧯 If You Can't Patch
- Implement strict access controls to limit authenticated user access to minimum necessary
- Deploy web application firewall with URL validation rules to detect and block redirect attempts
🔍 How to Verify
Check if Vulnerable:
Check the SolarWinds Observability version in the administration console. If the version is earlier than 2025.4.1, the system is vulnerable.
Check Version:
Check via the SolarWinds web interface (Admin → About), or on the server, check the version files in the installation directory.
Verify Fix Applied:
Verify that the version shown in the administration console is 2025.4.1 or later, then test the URL redirection functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns in web server logs
- Multiple failed redirect attempts from single user sessions
Network Indicators:
- HTTP 302/301 redirects to external domains from SolarWinds URLs
- Unusual outbound connections following SolarWinds access
SIEM Query:
source="solarwinds" AND (http_status=302 OR http_status=301) AND url CONTAINS "redirect" AND NOT dest_ip IN internal_ranges
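The SIEM query above is pseudo-syntax; the following is an added example (not from the advisory or from SolarWinds) of the same check run offline over constructed proxy log lines: it flags 301/302 responses whose Location target resolves to a host outside an internal allowlist, including protocol-relative, backslash and userinfo forms that a naive "starts with /" filter misses. The log format, hostnames and paths are assumptions.

```python
import re
from urllib.parse import urlsplit

# Hosts a legitimate redirect from the Observability UI may land on
# (assumption: replace with the organisation's own internal names).
INTERNAL_HOSTS = {"obs.corp.example", "sso.corp.example"}

# Constructed line format: client user status "request" "Location: target"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<user>\S+) (?P<status>\d{3}) '
    r'"(?P<path>[^"]*)" "Location: (?P<location>[^"]*)"$'
)


def is_external_redirect(location, internal_hosts):
    """True when a Location value would leave the internal host set."""
    loc = location.strip().replace("\\", "/")   # browsers treat \ as /
    if not loc or loc == "-":
        return False
    parts = urlsplit(loc)
    if not parts.netloc:
        return False          # plain relative path: stays on current host
    # .hostname strips userinfo, so "https://obs.corp.example@evil" -> "evil"
    host = (parts.hostname or "").lower()
    return host not in internal_hosts


def find_external_redirects(lines, internal_hosts=INTERNAL_HOSTS):
    """Return (user, client, location) for each 301/302 leaving the site."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] not in ("301", "302"):
            continue
        if is_external_redirect(m["location"], internal_hosts):
            hits.append((m["user"], m["client"], m["location"]))
    return hits


# Constructed sample lines; paths and targets are illustrative only.
SAMPLE_LOG = [
    '10.1.2.3 alice 302 "/login?next=/dashboard" "Location: /dashboard"',
    '10.1.2.3 alice 302 "/login?next=//attacker.example" "Location: //attacker.example"',
    '10.1.2.9 bob 302 "/login" "Location: https://sso.corp.example/auth"',
    '10.1.2.9 bob 301 "/login?next=https://obs.corp.example@attacker.example/" "Location: https://obs.corp.example@attacker.example/"',
    '10.1.2.7 carol 200 "/dashboard" "Location: -"',
]

if __name__ == "__main__":
    for hit in find_external_redirects(SAMPLE_LOG):
        print("external redirect:", hit)
```

Only proxies or web servers configured to log the Location response header produce the last field; adapt LOG_RE to whatever the deployment actually records.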